With little more than a month left in both the peak trading period and 2009, many merchants are now in a code freeze, a period during which no changes can be made to their payments processing systems.

However, despite this and pressured by the seasonal rise in business activity, retailers must sometimes implement quick-fix solutions to address payment or fraud management challenges that arise, Pritesh Patel, a client and technical services consultant with electronic payments processing and risk solutions specialist CyberSource, told EPI.

Although these ‘patches’ may be effective in the short term, steps should be taken to develop a solution that is both long-term and fit for purpose, Patel continued. Specifically, merchants should be looking at current and future threats to their businesses and determining how they will be addressed in the year ahead.

“A variety of threats abound, but a payment data security breach is the nightmare scenario for many eCommerce merchants,” stressed Patel.

Threats

He noted that the traditional method of protecting sensitive online information is to encrypt it, but as some retailers have found, to their cost, encryption is not enough to keep payment details safe from intruders.

On end-to-end encryption, a security solution now widely hailed as a major advance, Patel said that while such solutions undoubtedly have their merits, they are focused on minimising risk rather than eliminating it.

“Encryption requires constant ongoing management and can often be a costly overhead,” explained Patel, who also noted that as systems are enhanced or new systems introduced, care must be taken to ensure that they fit into and comply with the organisation’s encryption paradigm.

Perhaps most importantly, he continued, individuals within the organisation know where the payment data is and potentially how it can be accessed.

“Ultimately, by going down the encryption route, the organisation’s leaders are pitting their IT security teams against the criminal world,” said Patel. “They are betting on those teams being able to keep payment data safe from attack and preserving the reputation and future of the company.”

Protection solutions

Ultimately, the most effective way of preventing data theft is to eliminate the data from the payment processing system, believes Patel.

“If a shop is empty of physical goods, there is nothing for anyone to steal,” he said. “In the same way, if no payment data exists on an organisation’s systems, the risk of a breach is effectively eliminated.”

Essentially, he says, the most effective approach to data protection is to remove temptation and risk by completely eradicating the storage, capture and back-office exposure of all customer data.

“There is a myth that retailers cannot operate their business or service their customers without full payment data,” Patel added. “On the contrary, some companies have evolved to the point where they can operate without transmitting, storing or processing payment data – they have removed all system and staff interaction with that information.”

In this regard Patel was referring to payment tokenisation, an approach that payments processor First Data recently announced that it was pursuing in an alliance with US data service specialist EMC Corporation’s security division, RSA (see EPI 267).

Payment tokenisation solutions allow merchants to transfer all payment data storage to a security-certified service provider. A payment token and a masked account number are returned for use by the merchant’s system to reference the transaction in subsequent actions. Because only a token relating to each individual transaction is stored, the data is not left vulnerable to being compromised by insiders, or hacked by fraudsters.

However, while tokenisation is essential in eliminating payment data, it only solves one element in the data security process, Patel said. He notes that to eradicate another data touch-point, merchants should look to hosted payment acceptance.

“This process enables customers’ payment information to be captured directly by the payment network, removing the need for staff or system interaction,” he added.

“This allows a retailer to maintain the look-and-feel of their brand, while negating the need for payment data to touch their network. Because customer payment details are not entered directly onto a merchant’s network, malware installed on their systems will provide significantly less payload for the perpetrators.”

Opportunity

Patel emphasised that protecting customers’ personal and payment details is absolutely vital to a company’s brand image and reputation, and that the annual code freeze presents an opportunity to strategise for 2010 and evaluate existing payment and fraud management systems.

“Investigating ways to eliminate staff and system contact with payment information will provide a strategy that is safer and easier to manage, and less costly to certify,” said Patel. “Working with a third party to secure customer data could help merchants mitigate the risk of an expensive data breach.”